{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-4946", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-19T05:22:38.122Z", "datePublished": "2025-07-02T09:23:23.696Z", "dateUpdated": "2026-04-08T16:41:48.194Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:48.194Z"}, "affected": [{"vendor": "Odin_Design", "product": "Vikinger", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.9.32", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active."}], "title": "Vikinger <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22d8f1db-1b7e-4b68-a381-01f51dd34b2b?source=cve"}, {"url": "https://themeforest.net/item/vikinger-buddypress-and-gamipress-social-community/28612259"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "timeline": [{"time": "2025-07-01T20:29:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:02:05.885473Z", "id": "CVE-2025-4946", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:14:28.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4946", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-02T13:02:05.885473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:06:44.950Z"}}], "cna": {"title": "Vikinger <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function", "credits": [{"lang": "en", "type": "finder", "value": "Friderika Baranyai"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "Odin_Design", "product": "Vikinger", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.9.32"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-01T20:29:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22d8f1db-1b7e-4b68-a381-01f51dd34b2b?source=cve"}, {"url": "https://themeforest.net/item/vikinger-buddypress-and-gamipress-social-community/28612259"}], "descriptions": [{"lang": "en", "value": "The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:48.194Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4946", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:48.194Z", "dateReserved": "2025-05-19T05:22:38.122Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T09:23:23.696Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active."}, {"lang": "es", "value": "El tema Vikinger para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n vikinger_delete_activity_media_ajax() en todas las versiones hasta la 1.9.32 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php). Nota: Requiere que el complemento Vikinger Media est\u00e9 instalado y activo."}], "id": "CVE-2025-4946", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-02T10:15:23.227", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/vikinger-buddypress-and-gamipress-social-community/28612259"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22d8f1db-1b7e-4b68-a381-01f51dd34b2b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:43:32.973167+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Vikinger theme (\u22651.9.33) which removes the vulnerable function or adds proper path validation.", "If an upgrade is not immediately possible, remove or disable the Vikinger Media plugin, or modify the theme to restrict the vikinger_delete_activity_media_ajax() endpoint to administrators only.", "Re\u2011configure WordPress file\u2011system permissions so that the web\u2011server user cannot delete arbitrary files, and audit uploaded content to ensure no files outside the intended directories remain accessible."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion leading to Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are Odin Design's Vikinger theme for WordPress. All released versions up to and including 1.9.32 are susceptible. The issue manifests when the theme is used on any WordPress installation that has the Vikinger Media plugin installed and active.", "description_and_impact": "The Vikinger theme contains an insufficient file path validation flaw in the vikinger_delete_activity_media_ajax() function that allows authenticated users with Subscriber level or higher to delete any file located on the server. An attacker can delete critical files such as wp-config.php, which can immediately lead to remote code execution or complete site compromise. The vulnerability is conditioned on the presence of the Vikinger Media plugin and requires the user to have the appropriate WordPress role.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability that can be exploited remotely. The EPSS score of 6% suggests that at present the likelihood of exploitation in the wild is low but non\u2011negligible. Because the attack requires only a logged\u2011in user with Subscriber or greater privileges, the barrier to entry is low for site owners. The vulnerability does not appear in the CISA KEV catalog, but if exploited it can result in file deletion, site downtime, and potential remote code execution. Attackers would typically trigger the misconfigured AJAX endpoint to perform the deletion."}}}}, "created": "2025-07-13T21:48:04.988868+00:00", "updated": "2026-04-28T22:45:25.947884+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}